Jeff
Hey, everyone. I'm super excited to be sitting down with Andy Boyd. He's the recent head of the CIA Center for Cyber Intelligence. This is a guy who has briefed the US Cabinet on cyber threats to the most powerful country in the world and how they can respond. I want to know what keeps him up at night, what we should be worried about, and what intelligence is being kept from us. For news junkies like me out there, we're going to go deep on cyber, less so on traditional warfare, like what we're seeing in Iran and Israel. It should be an amazing conversation. Let's jump in. Andy, thanks so much for being here today. I really appreciate it. You are the former director of the Center for Cyber Intelligence at the CIA. Maybe just to start off, can you, can you give us a flavor of what the Center for Cyber Intelligence does at the CIA?
Andy Boyd
Good morning. Thanks, Jeff, for having me on the podcast. This is a really exciting opportunity. Yeah. So I retired from CIA back in October 2023, and for the four preceding years, I was, as you noted, the Director for the Center for Cyber Intelligence. And so what, what I've said publicly about this before, and there are obviously some limitations to the level of detail I can get into, but the Center for Cyber Intelligence is what we would call the mission manager for all things cyber at CIA. That means offensive cyber, strategic analysis and all the technology tools, engineering that goes into both of those disciplines. At the end of the day, CIA is an intelligence collection enterprise and an intelligence analytical enterprise. And so the Center for Cyber Intelligence produced all the strategic intelligence for the President on down in the US Government, on nation state, non nation state cyber threats, how they related to the US Government and how it related to threats against our economy, our private sector and whatnot. But in addition to that, we were responsible for using our tools to collect intelligence across a whole array of disciplines, be it counterterrorism to near peer nation state competition. And it was a great honor to lead that workforce, a highly skilled workforce for the four years I was in that job.
Jeff
It's super, super interesting and obviously so, so important. You mentioned offensive cyber capabilities in the analysis side. Was there a role to play defensively as well and sharing intelligence that could be used to help, you know, organizations, either public or, you know, within the US commercial, to, you know, defend against potential, you know, bad actors, or was it purely more on the offensive side?
Andy Boyd
No. So I mean, and this is an interesting point because there's tactical intelligence and I mean that from a small I, you know, not necessarily just government intelligence, and then there's strategic intelligence and what the CIA does is more at the strategic level. When I was getting out of the, retiring from the government, I got a lot of calls from folks asking if I was interested in various CISO jobs. And I said I am not qualified to be a CISO. I am not a network defender and I never have been. But what our strategic analysis looked at is to give the context as to what the cyber threats were, principally from nation states, China, Russia, Iran, North Korea, but also ransomware actors, other criminal actors, a whole variety of hacking schemes, and wrote it at a level for executives really to make decisions onto how to defend the country. I mean, why is China hacking, the Volt Typhoon situations? Why were the Russians doing what they were doing with their cyber tools? It, it was useful for context for the, the average CISO, even US government CISOs to use to understand the context, but it wasn't going to tell them how to defend their network. That's a different type of intelligence. Right.
Jeff
And did you find, so I mean you sort of had a front row seat to being able to understand exactly the threat levels that, that, that we could expect here. Did you find that most, you know, kind of organizational leaders, whether they're. Yeah, I'm thinking largely outside the government, but inside the government too. Were they able to properly assess the threat level or did you find they were underestimating?
Andy Boyd
Depends. I mean there's certain industry, you know, our Department of Homeland Security, CISA, which does all the cyber defense and critical infrastructure defense identifies better now. Yeah, well, they identify 16. Oh and they do, but they identify 16 critical infrastructure sectors and certain sectors are extraordinarily good at cyber defense. You know, the financial sector really understands it because it's a no fail mission for them if a nation state or non nation state actor hacks into a major banking system. I mean we're all going to be, you know, hurt by that. But they also, because they're, they're banks, they had the financial resources to have good cyber defense. Go, go all the way down the spectrum. And there are certain critical infrastructure sectors that, that don't have good cyber defense. And, and it's not necessarily their fault. They sometimes didn't even really consider themselves part of a digital landscape, for instance, water treatment plants, wastewater treatment. And so they, they were victims from nation state actors, from ransomware actors over the other past few years. And so CISA and others have begun to really focus on that. So, so I think it varies from industry to industry and I do think the US government, the private sector is coalescing around a way to defend those critical infrastructures. But it's going to vary from industry, frankly.
Jeff
So when you were leading the center, what kept you up at night and what keeps you up at night these days? And how is the kind of cyber threat landscape changed in that time?
Andy Boyd
I've never slept better since October 2023.
Jeff
I'm happy to hear that.
Andy Boyd
Maybe what, what kept me up. And you know, I spent the bulk of my CIA career serving in the Middle East. I'm an Arabic speaker. I did, you know, a lot of work in the counterterrorism space, as most of my generation did after 9/11. That stuff kept me up at night, you know, because of the mission, but also worrying about what it all meant, you know. So as, as the leader for the Center for Cyber Intelligence, I had less sleepless nights, but it was more of a longer burn than counterterrorism. It's thinking about, you know, do we have the manpower, do we have the infrastructure, do we have the relationship between the government and the private sector to, to really defend against what I think is an existential threat. It's not the kind of threat that takes down the World Trade Center. It's not the kind of threat that results in an airplane crashing into the Pentagon. You know, that's a very visible threat, but it's as much an existential threat with, with a longer burn time. And I'll cite one, you know, private sector example that is not necessarily nation state: ransomware actors, which frequently have a dotted line relationship, particularly in Russia, with state actors. But there was a ransomware attack against UnitedHealthcare this past year and a subsidiary of UnitedHealthcare called Change Healthcare, which essentially manages all the pharmacy distribution, CVS, Walgreens in the United States, at least. I don't know about Canada, but it may be part of the same system. But I'm not sure. That ransomware attack, the ransomware attackers asked for $22 million in ransom, which was paid. What frequently gets overlooked is that the overall cost and loss in revenue to UnitedHealthcare was north of $1.6 billion. And I think it's still growing. And you multiply that and that's just one company. Now, granted a very large company, but still just one company in one of those critical infrastructure sectors.
You multiply that across multiple industries and there's billions and billions of dollars at stake every single day due to cyber threats, due to data theft, intellectual property theft, ransomware attacks, et cetera. So it is an existential threat. So in the aggregate all of that stuff kept me up at night, but I'm sleeping better now.
Jeff
I'm happy to hear that. And I mean even in the conversation so far, you know, there's everything from, you know, existential threats to organizations financially to, you know, attacks on critical infrastructure. You know, if you were advising, and I think in some cases you are, you know, organizational leaders, what, what type of actors would you want them to be most concerned about? Is it, is it nation states? Is it, you know, organized crime? Is it one offs, you mentioned kind of nation state adjacent actors and what are the implications of some of the, you know, some of the, the threats there?
Andy Boyd
So I think, you know, even in the, the very advanced folks like in the financial services industries who have, you know, very strong personnel working on cybersecurity, even they admit that they need to engage with the US Government, be it with DHS, CISA, be it with the entities at Treasury or whoever. They're, you know, as, as we like to call it, sector specific relationship with the federal government is because they don't know everything and they need to know the strategic context and they under, they need to understand why possibly a state actor would want to attack, you know, a certain network and whatnot. For example, you know, in February 2022, the Russians invaded Ukraine. We, you know, in that, and I was still in the government then, we went through different decisions, you know, at the policy level and what level of support we were going to provide to the Ukrainians. And we had many discussions in policy circles as to what that may trigger as far as cyber attacks, you know, other attacks. But my focus obviously was cyber attacks from the Russians and you know, what I found is a lot of the critical infrastructure leaders in the private sector wanted to understand, okay, what's coming down the pike and what should we be prepared for potentially from the Russians. It turns out that there wasn't much coming from the Russian side against US networks, financial institutions, etc. But that doesn't mean we, you know, that was unknowable in February 2022 and we had to be prepared. And so what was interesting to me is some of the most highly skilled cyber defenders in those critical infrastructure sectors still wanted to understand, you know, what the threat was from Russia.
I think the same context we now, you know, again I made reference to Volt Typhoon, which is essentially is the, the People's Republic of China pre positioning tools on critical infrastructure in the event that there is a potential cross-Taiwan Strait conflict between the United States and China. Volt Typhoon and then Salt Typhoon, which was again, some entity within the Chinese government, I suspect their intelligence agency, putting tools down on our telecommunications infrastructure in the United States and using it to collect information against senior U.S. government leaders and others. I think the conversation has shifted away, at least for now, from what the Russians are doing, because that's just. It was sort of a nothing burger for the United States, at least, to something that is not a nothing burger. The Chinese threat, both from an intelligence collection perspective and a critical infrastructure protection perspective, and having those industry leaders, telecommunications leaders, be cognizant of that threat, potentially even at a classified government information level, I think is critical. All those conversations are happening, you know, maybe not on a daily basis, but at least on a weekly basis. Right.
Jeff
And, and so, you know, if you had the, the magic power to be kind of everywhere at once across the, I guess the, the, the defend surface.
Andy Boyd
So to speak.
Jeff
Across government and organizations. And let me say first, my goal here is not to expose national weaknesses, but where do you think, where would you be most concerned about shoring up our ability to defend ourselves against some of these attacks?
Andy Boyd
I think most immediately, and this has been talked about in the press quite a bit, I think we have to reset where we are in the telecommunications infrastructure because that undergirds, you know, everything that we do. Luckily. I mean, knowing that that is the threat and it's there is important, but it's going to, you know, the, the telecommunications infrastructure in the United States is sort of a Balkanized infrastructure that was cobbled together from what used to be AT&T, and then it became what we call in the US the Baby Bells back, back in the 80s. And so as a result, it's not a, a particularly logical infrastructure. And that has to be changed because, you know, the barn door was wide open and that's how the, the Chinese got in. So, so that I would love to see that, you know, be a major focus in 2025 for infrastructure security. But, you know, there's a lot of other things as well. I mean, how, how we, you know, it's, it's something that's evolved over the past two years. The advent of ChatGPT and the advances that we have in AI technology. I worry deeply that our intellectual property is getting stolen at a rate that it's almost too late to close the barn door. And we have to develop both defensive techniques against our algorithms, our way of defending our intellectual property and AI and then legislation and then policy that helps us do that. That is my next major concern. As far as the other critical infrastructure sectors, you know, gas and oil, transportation, electric distribution, water distribution, wastewater treatment, health care, education, all those are critical infrastructure sectors. We, you know, we have to address those as well. But honestly, we don't have enough bandwidth in the US Government or the private sector to do them all at once. But we'll get there. Yeah.
Jeff
You mentioned policy, and I'm curious from a defensive posture perspective, like, what is the role of policy versus technological defense versus defense in terms of human user training and defending from that perspective? And I'm sure there's a few other dimensions as well. But is it all three? Where do we get the most bang for our buck?
Andy Boyd
I mean, it is all three. And I'll just reference, I was last week at the, the RSA, the leading cyber security conference in San Francisco every year, and there was 60,000 attendees. Private sector, global private sector representation, but also international government. And the current administration was very well represented there from the Secretary of Homeland Security, Kristi Noem, on down, military figures, intelligence community figures. And there's obviously very significant differences in policy and human resources practices between the Biden administration and the Trump administration. But what struck me was the seriousness with which the current representatives last week from the administration are thinking about cybersecurity akin to what the previous team in the Biden administration did. So cybersecurity is a, is a bipartisan issue and policy is part of that. And I'll cite one, one point that, that Kristi Noem's deputy talked about at a forum I attended. There's a policy started under the Biden administration called Secure by Design, wherein software developers don't beta test their, their software on their customers. They actually design it with security in mind and, you know, user experience and functionality and whatnot. I had thought that that was going to change significantly with this current administration and there may be tweaks on it as far as how they address the private sector. But in general, it would appear that, that the new administration supports Secure by Design and it's going to, you know, set policy parameters in collaboration with Congress on legislation to mandate that private sector software development is done with security as a default in mind, which I think is critically important.
So, so the, you know, private sector, how, how they develop software and, and deal with infrastructure policy from, from the White House, the executive branch and the government and legislation from Congress are all critical in my mind, you know, three, three legs of the stool, so to speak.
Jeff
Right. So, you know, you met, you mentioned Secure by Design, and to me that's, you know, that's an arrow in the quiver, let's say, of what an organization can do to, you know, remain secure. When you're advising, you know, CISOs or, you know, senior security leaders at different organizations, if they were, if they're asking like, where do I start with this? How do I, you know, what tactics can I put into place to make sure that we're secure? You know, do you have some stock answers for, you know, the best starting points that are going to, you know, have the most outsized impact?
Andy Boyd
It really depends on the size of the company. Like a major bank with tens of thousands of employees can buy an enormous amount of products to, you know, deal with external threats, deal with insider threats, deal with vulnerabilities on their own networks and whatnot, you know, down to, you know, companies of a dozen people or less. And it's more the small companies that, that are, are, are an issue, I think, and they have to really lean on CISA, try to get help from, from the government where, you know, they're not going to, they're going to have to really track or outsource to us because, you know, some companies are too small to even have a CISO or even an IT, you know, provider. So they have to be careful who they bring in to, to manage that sort of stuff. Because there's certain small companies that frankly are as important as the big companies. That company that makes, you know, some certain widget for, you know, US Air Force fighter aircraft. If they, if their networks are compromised by a state actor that wants to understand how those jet engines or whatever are assembled, they're equally at risk as the Lockheed Martins of the world are. Yet the Lockheed Martins of the world are going to be able to buy every tool that you can imagine. So I, I, a lot of those discussions happen at RSA. A lot of people focused on like, how do we detect those external threats. But there are an enormous number of products out there for what we would call attack surface management and, you know, looking inside at your own inventory. The bring your own device epoch that we live in makes the defending networks even more difficult because not everybody is going to be as wise as to how to, to secure your own, your own endpoints. So it's a very big job for CISOs or the security providers for those small companies. But what is great now is 10 years ago nobody was really focused on any of that, both at the US Government level and the private sector level.
We're having a very open conversation as evidenced last week at RSA. So I do think we're heading in the correct direction to ensure that those existential threats are minimized to the greatest extent possible.
Jeff
The so, so thinking about those like small and mid sized organizations, I, I mean, I agree with you. I feel like that is the biggest risk and it's the long tail of risk there. If, if the board of one of those companies brought you in and said, you know, Andy, you know, how exposed are we? Do you have sort of like a questionnaire in your mind or you know, a quick cheat sheet for how you would assess their exposure level to threats?
Andy Boyd
I don't have a cheat sheet because again, every company is going to be different. But I have addressed, you know, various boards of directors on that particular issue and I'm on three boards myself. So I'm constantly worried about that as it relates to the companies that, that I'm involved with. But you know, I, what I say is if you're a company that's big enough to have a CISO or a chief security officer, you know, I mean really two things is identity management and ensuring that you don't have people pretending to be other people on your, you know, in your organization and then access control. If you, if you manage those two things, pretty much everything else, you know, takes care of itself. The third thing, and this is, you know, basically since the dawn of, you know, hacking in the 80s, you know, teach your employees about phishing and social engineering and do not click on that link if you don't know who it's from. I mean it sounds like, well, yeah, of course not, like in 2025 nobody would do that. But the overwhelming majority of ransomware attacks in particular, but also state actor hacking is via spear phishing. And with the advent of AI tools, ChatGPT and the other ones, it makes it a lot easier because previously the emails would be written in gibberish, would be like, okay, this is obviously some guy from, you know, you know, wherever in the planet trying to hack my computer. Click, you know, click on this and we'll give you $200,000 or whatever. Not now. Because of AI tools, you can have idiomatically correct American English and you know, it can sound like it's coming from your boss. So it's a very difficult thing to do there. There are identity management tools that are much more advanced than they were several years ago. But really, I mean that is what I would say to a board is identity management and access control and ensure that people who don't need access to certain SharePoint devices or whatnot don't have that access.
Jeff
Yeah, no, it makes sense. And I think, I think that's very much in line with what, you know, I've heard from security analysts around here anyway. But you did, you brought up AI and you brought it up a little bit earlier. And I want to talk about that for a minute. How in your mind is AI changing the threat landscape these days? I mean, I'll ask that in two ways. How is it changing it from the bad actor perspective? How is it changing it from our ability to defend and you know, net net, what does that mean?
Andy Boyd
You know, so I, I, I think it's, it's like a lot of advances in technology, both the attackers and the defenders sort of go down that field together and maybe not at the exact same pace, but you know, so again, the social engineering aspect of ransomware is a lot easier with AI tools. Also, you know, someone who really has no vulnerability research or exploit development skills can use AI tools to frankly just build exploits and send them down the pipe with really no training or experience in that as well. And there's, you know, they're not going to be able to build zero days off of AI tools per se, but there's a lot of, you know, the top 10 vulnerabilities on endpoints are all n-days and have been out there and unpatched for a very long time. AI tools are going to help bad actors deal with that. That being said, you know, AI tools in the SOC, in a company's, you know, security operations center, are, are advancing at a, at a rate that I never would have predicted two years ago that they would have been. And, and, and automating the ability to see what the threat landscape is out there, automating the ability to look inside your network and watch changes on endpoints and, you know, actors that are doing things that are outside the normal, the average human is not going to be able to detect those abnormalities and shut them down. So I mean, I think, you know, over time, frankly over the next year or two, I think a lot of those security operations center tools are going to be completely, completely driven by AI. Other AI tools and folks that I saw out at RSA and ran into at RSA last year using those AI tools to detect deep fakes, to detect audio fakes, a lot of audio fakes. I mean, a number of your viewers and listeners may have been getting random spam calls on their phones. Don't ever answer them. Because what I think, what we think people are doing is trying to get a voice cut from you and then use that for audio deep fakes to use.
Like if you use an audio or a voice imprint for getting access to your bank account or whatever. I think a lot of the banks are moving away from that, thank God, and using different forms of MFA. But all of those tools are being developed, video, like detection tools for video deepfakes. I mean, I, a friend of mine has developed an audio deepfake tool which you may remember from the election when President Biden was still in the race. Somebody made a deep fake of his voice telling people not to go to the polls in New Hampshire during the New Hampshire primary. It sounded exactly like him. This guy's tool was able to detect that that's not actually President Biden. Um, and, and those sort of. And that's a very, you know, famous example. But that sort of stuff at a much lower level happens on, almost on a daily basis. So I'm very confident where we are as defenders, you know, on both sides of that AI equation, but also from, from just a, a, a how we build software in general. I think a lot of the writing of software is going to be done using AI tools, leaving the human to work on, on more advanced things or enhancing the user experience and whatever the software tool is. And so, you know, there's been a lot of talk, oh, it's going to replace, you know, people shouldn't go to get computer science degrees anymore because you're going to be replaced. And, you know, why learn how to code when AI is going to do it? You still have to learn how to, how to code. If you're going to be in that industry, it's just going to make your job a lot easier and you can work on other things and you can, you know, quality check as opposed to, you know, writing the basics of software development. So I think in the aggregate, AI tools are going to be great for the cybersecurity industry.
Jeff
That's great. And yeah, I tend to agree on the coding side. And, you know, what I think about too is it's like engineering as a field didn't disappear when the advent of the calculator came along. Right. Or the computer. It's, you know, it automates some of the, you know, some of the more operational stuff, but, yeah, fair enough. I did want to ask you though, Andy, whether it's AI related or not. And, you know, I'll let you use your own discretion in answering this, but can you tell us maybe a little bit about any, any cyber attacks or capabilities that you uncovered that surprised you with their sophistication or even their innovation?
Andy Boyd
Yeah, I don't know if it's innovation per se. It's, it's the brazenness of it maybe. And I'll go back to the Volt Typhoon, Salt Typhoon. I mean a number of experts have discussed this in the press, so it's not particularly sensitive, but I mean it's sensitive to the industries but not from an intelligence perspective. The Volt Typhoon pre positioning of tools was, was executed using what we call living off the land techniques. So it wasn't some very sophisticated zero day exploit. It was essentially looking for those vulnerabilities and using what is already existing out there as far as tools go. So, so that the very aspect or the very act of living off the land, of using n-days or tools that you can find on the dark web, you really don't look like a major nation state actor. And so it took a long time for us both in the private sector and the government to detect that. And, and that was pretty gutsy on the, on, on the, on the, you know, the People's Republic of China government, we think the, the military, cyber entities, pre positioning tools and infrastructure in the Indo Pacific, pre positioning tools on infrastructure in the United States, but just, you know, being very hard to detect because it's not, it doesn't look like nation state actors. So that, that surprised me in that sense. What also surprised me, another Chinese attack, the Salt Typhoon attack, was that they really studied the target and again it wasn't a sophisticated zero day per se, but they, they studied the vulnerabilities and built what they needed to, to get in those networks. And it was essentially not unlike the Volt Typhoon, exploiting our own weaknesses. So it's, it's, it's taken a change in how we analyze the threat. Previously was like okay, sophisticated actors, zero days, they're really going to build something that is just so innovative and we hadn't seen before, and it's actually really the opposite now.
It's using our own vulnerabilities and exploiting those which did surprise me that that technique is being used. So we just have to be much more cognizant of that and be more cognizant of our own weaknesses. Just like if you're the CISO at a medium sized company, it's important to know what the threat is externally, but you have to deeply understand your own vulnerabilities, your own endpoints, your own network vulnerabilities or what's on the outside is going to have a much easier job getting on the inside.
Jeff
When you talk about vulnerabilities and weaknesses, can you, can you add a little bit of color to that. What, what types of vulnerabilities are we talking about here?
Andy Boyd
Unpatched endpoints. I mean, it, at the end of the day, ransomware actors, you know, foreign intelligence organizations or entities that want to conduct disruptive or destructive offensive cyber attacks, they want to land on an endpoint. And if the endpoint is a desktop, a laptop, a phone, that's where the vulnerabilities are. So, you know, for all of your viewers and listeners, you know, update your software on your endpoint. If you're an Apple user, update as frequently as possible. If you're an Android user, update as frequently as possible. And the same goes for your desktops and laptops. Now, you know, in 2025, that's fairly easy if you're paying attention. But you know, there's other things on your networks that are patched less frequently. There's, you know, your, your Wi-Fi routers, your, your network devices that, unless you're an IT professional or a CISO, you don't really think a whole lot about those. And, and that, you know, worries me. Vulnerabilities on those are, you know, eventually identified by CISA and they get a CVE rating and, and whatnot. But you really gotta be paying attention. You have to like be patching those things on a, on a, on a routine basis. The other concern is IoT devices which are very rarely patched. You know, I, I, you know, we now have, you know, refrigerators that seem to be like sentient beings in, in and of themselves. And those, those are attack vectors. If they're on your network, if they're networked in with the rest of your devices, that is a very significant vulnerability. And I do think, you know, we focus on IT security, but there's OT security, operational technology, that I really think we need to focus more on because that, that is a significant vulnerability. And then finally, you know, I referenced earlier the bring your, bring your own device, which sort of dominates, you know, most companies now.
It's, it's understanding, it's for the CISO and the IT professionals, the CIOs, if a company is big enough to have a CIO, to understand what the threat vector is from those bring your own device situations and ensuring that you have policies and an ability to check that your employees are actually doing what they're supposed to do and updating software on their own devices.
Jeff
Right. We've talked, we've talked mainly about kind of organizational risk and there we talked a little bit more about device level risk and how you get into the networks. One of the threats I've been hearing more about lately and I don't know if it's been on your radar, Andy. I imagine it is in some capacity is. I've heard it described as, I think it's called pig butchering scams or basically human engineering approaches where you actually build trust over a long period of time and then you have progressively bigger asks and find ways to exploit people at a level that ends up being millions and millions of dollars. Is that, is that something that's on your radar? And how does that fit into the, you know, the broader threat landscape?
Andy Boyd
I mean, it is and it's especially concerning for vulnerable, you know, populations, you know, older people. I mean, you know, my, my mother and father are older and now granted, I brief them on that and so they don't, they have not yet fallen victim to that. But it happens on a daily basis. And there's entire, particularly in Southeast Asia, it's developed into a thing where there's entire offices or warehouses filled with folks that are, that are working on these schemes. You know, it's not all that different than years ago when, you know, the Nigerian prince would call you up and say, hey, I just need a loan of $50,000 and I'm going to give you a million dollars in return. I mean it's, it's the same sort of social engineering idea. It's just that it's been, it's being done at a scale that it hadn't been done before. That being said, I mean, a lot of foreign governments, even the Chinese government is very focused on it and is very concerned about it. I mean, there's Chinese nationals that have been lured into working in these, you know, pig butchering farms or whatever, whatever we want to call them. But as far as like cyber threats writ large, you know, nation state threats, ransomware threats, I still would not put that in my top five of things that I focus on. I do think it's, it's a major threat to vulnerable populations. But as far as existential threats to our livelihoods, I don't really consider it rising to that level.
Jeff
Makes sense. So going back to that level, into that top five, if you think about our current, I'll call it exposure and infection, to what degree are you worried? Like we've talked about some of these tools, we've talked about critical infrastructure. Are we already significantly exposed in a way where if some of these nation states wanted to move to, you know, more of like I'll call a hot phase of, of cyber where they could, they could, you know, push a button and, you know, really cripple cyber infrastructure or are we sufficiently defended now? And it's about staying defended, like, where are we in that cycle?
Andy Boyd
So I, you know, I, I'll use a couple of, of descriptors for that. So, you know, again, I mentioned earlier that I spent much of my career in the counterterrorism space. And immediately after 9/11, there was a number of US government agencies that were kind of doing their own thing. We hadn't really coalesced into a, into an organized entity. We did quite quickly over time, the intelligence community, the special operations community, the law enforcement community, and then all of our foreign partners to the point where by, I would argue, you know, mid-2002, we had a pretty good, you know, set of tools within the US Government and our allies to fight that terrorism fight. I think we're in that continuum right now in 2025 where we're coalescing our, our, you know, government capabilities on the defensive, on the offensive, on the strategic analysis, on the policy and on the legislation. The major difference between what we're doing today and cyber threats and what we did in counterterrorism is that arguably 90%, maybe even more, 95% of the attack surface is owned by the private sector. That's a big difference. And so what that coalescing is including the private sector. But you know, for instance, some of the US Government leaders that I referenced earlier were part of roundtables with CEOs, CSOs, CISOs at RSA last week. And we were talking collectively about a strategy on how to deal with that, what our weaknesses are. And really, you know, looking at what are who, who owns the defensive responsibilities, who owns, you know, the middle road, the active defense of yanking threats off of data centers, other, you know, US owned or, you know, North American networks, and then who owns the offensive side, the actual active offensive side. I argued that offensive cyber operations are really the realm of governments, you know, in theory, under appropriate authorities, delegating to certain private sector companies. 
But you're not going to have, you know, the telecommunication industry, you know, hacking into the Chinese telecommunications industry in revenge for Salt Typhoon. That's just not the way it's going to work. But it was very useful to have that dialogue. So are we vulnerable? Yes, we are vulnerable. But are we aware of those vulnerabilities as, as an industry? Yeah, we just have to have the policy and the legislation to support both the defense, the, you know, the just defending networks, the standard CISO, CSO type activity, the active defense of having the authorities to, you know, if you're a company that owns data centers, actively removing foreign threats once they've been identified, either by your own situational awareness or intelligence provided by the government. And then how we go about using offensive tools in Washington at least you hear a lot of people talking about wanting to get more aggressive on offensive cyber. The problem is sometimes they don't define what they mean by that. And so I'm spending quite a bit of time helping people get to a definition of what they mean by that. Because to your point, is it that some foreign entity can just push a button and attack our critical infrastructure? It doesn't work that way. There are three components of effective cyber attacks. Speed, control, and intensity. And they're all sort of countervailing variables. You can have some really intense cyber attacks, but they're going to be out of control. And then you get sort of a worm that goes globally breaking everyone's networks. There are certain actors that are happy to do that, but you really can't affect and disrupt and destroy particular targets if you're going to do it that way. So we just as a government and with our allied partners, really need to come to coalesce around what we mean by offensive cyber and how that is going to contribute to the defense or more importantly, as a deterrent to foreign cyber attack. 
But all those conversations are going and that some people think, you know, people in glass houses shouldn't throw stones in context of offensive cyber operations. I mean, you know, our foreign adversaries have pretty fragile glass houses as well. So I think we're all on the same, you know, playing field there.
Jeff
So the offensive cyber is exactly where I wanted to go. And it's already interesting, you kind of distinguished offensive cyber versus what you called active defensive. Would you consider us in a state of either cold cyber warfare right now with any nation states or hot cyber warfare? And what, what do you like, how would you describe our current posture toward, you know, offensive operations there?
Andy Boyd
No, so I, I, I don't think we're in a state of constant cyber warfare. I mean, it just, it's, it's, I mean, warfare involves bombs and, you know, guns and, and death and destruction, and we've never seen a cyber attack, you know, result, you know, quite in that. So I mean, I think a lot of what we see as, or get interpreted as cyber attacks are really intelligence operations collecting information on whatever the target may be. And sometimes it's not U.S. government. I mean, the Chinese have stolen an enormous amount of intellectual property from, you know, a variety of industries. Is that cyber warfare? I don't think so, really. It's intelligence operations, but in a very different context than we would use our intelligence tools. The Volt Typhoon pre-positioning of tools. Is that an act of warfare? Yes, theoretically, but it's really preparing for potential warfare. So, I mean, we are in a very, you know, active period of, of, you know, doing reconnaissance against our adversaries in cyberspace to understand what the threat is, but we're not, we're not in a period of, of active warfare. Now, on the, on the military side, Cyber Command has a mandate to, to continuously look at these various networks in case of wartime against a whole variety of adversaries. Not, that's not necessarily just the Chinese, Russians, Iranians and North Koreans. But again, I, I would argue that's akin to, you know, driving an aircraft carrier like, you know, off the coast of an adversary nation. They know you're there. They, they, they know you're in the cyber context. They know you're in the networks. And it does act as a deterrent in some ways. It's not a very public deterrent like an aircraft carrier, but it's, it is in a lot of ways a similar sort of thought process.
Jeff
So that's, that's exactly what I wanted to ask you about next. So is it, are we currently in a state where we're able to use, you know, the threats of cyber warfare or, you know, offensive cyber operations as a deterrent? And in your mind, you know, is that an effective strategy that we should be pursuing?
Andy Boyd
We are not yet there, but that conversation is happening. And, and the conversation also, you know, happened during previous attacks, be it. Or. Sorry, I'm using the long language because it wasn't attacked. The SolarWinds incident, which was an intelligence collection operation, or the ransomware attack on Colonial Pipeline, where, you know, our, our gasoline distribution got shut down on the, the Eastern seaboard several years ago? Um, you know, so, so there was a lot of discussions on how you respond to that. You don't necessarily need to respond to a cyber incident with cyber tools. You can use diplomatic tools. You can use sanctions. You can shut down embassies or consulates, eject, you know, foreign, foreign adversary diplomats, what, whatever the, the case may be. But as far as a true cyber deterrence, we're still having that conversation yet. And, and haven't, you know, coalesced around what that looks like. But, for example, the Iranians attacked water treatment facility IoT devices that were made in Israel but used in Pennsylvania, New Jersey and Texas. I believe last year they attacked these as sort of a demonstration of their, their opprobrium against us for having an Israeli company, you know, manage our, our water treatment. I believe a deterrent step on that is, is that if an attack like that happens again, we should have a reciprocal. Again, I'm not in a policy position, but this would be, my recommendation is to have a reciprocal attack to say, we know you did this. Now we're going to do something to your water treatment plant that doesn't result in, you know, death and destruction. But, but it is a point that, which I think in the aggregate will be a deterrent, will have a deterrent effect against the Iranians or whatever other actor it is. And, and I'll cite as, since we're talking about Iran, I will cite what the Iranians have used their cyber tools for in the past in what we, I would call coercive diplomacy. It's not warfare. 
It's, it's something other than warfare. But the Albanians were hosting the Mujahedin-e-Khalq, which was an Iranian opposition organization, and the Iranians didn't like that. And they put pressure on the Albanians to eject the Mujahedin-e-Khalq from their safe haven there in Albania. And the Albanians were, you know, not listening. So the Iranians shut down the Albanian government networks, I mean, really destroyed the networks and, and did not try to hide, had the intended effect. The Albanians started rethinking whether they were going to host the Mujahedin-e-Khalq. So I mean, countries do use their cyber tools in, to achieve diplomatic or defensive ends. We just have not really done that yet and for a variety of policy and legal reasons. But I think we're, you know, we're, we're moving the policy in a direction where we're going to have those offensive tools at the ready more so than we have in the past.
Jeff
I love the, I love the analogy of, you know, the aircraft carrier and being able to just, just have kind of a. I don't know if you can. I've never, I've never called an aircraft carrier subtle before, but like a subtle display of strength and deterrence there or even, you know, I think more recently of like surfacing a nuclear sub, right? Like just being able to show like, hey, we're here. We have the capability.
Andy Boyd
And the Navy has done that for years. I mean, that's why, you know, Navy ships around the world make port calls. It's in part so that the sailors can get off and relax a little bit. But the real reason is a show of force saying we're here. You make reference to submarines. You know, we're here. We're, you know, one country away from whatever adversary it might be. And so it does send a message. I mean, it's harder to do that in cyberspace. But, you know, we, we have cyber part, both on the military side and across the U.S. government. We, we have cyber relationships, defensive and offensive cyber relationships across the globe. And our adversaries are aware of that, and that sends a message as well.
Jeff
Yeah, you mentioned Iran, and it came up in a few different contexts there. When I think of offensive cyber operations, still, the number one that comes to my mind ever is probably Stuxnet. And I'm curious. I mean, first of all, and for listeners or viewers who aren't familiar with Stuxnet, it was, you know, if I can call it a virus, it was malicious code that was injected into Iranian, you know, nuclear refineries or plants that, like, really set back their nuclear program. And so, I mean, a couple of questions for you, Andy. First of all, is Stuxnet in your mind still the greatest, like, the most impactful example of, you know, cyber offensive operations? And second of all, do you expect us to see another from, from. Not just from the US or Israel or whoever, globally, do you expect to see another Stuxnet sized moment in the next five years?
Andy Boyd
So, you know, I, I, I will neither confirm nor deny my own knowledge of that, outside of a fantastic book by a good friend of mine, Kim Zetter. There's a book called Countdown to Zero Day, which is the most detailed account of the Stuxnet event. And what I would say differentiates what Kim talks about in that book is the very specific, using process logic controllers, PLCs, and a very targeted thing to achieve a specific policy goal. Right. And that goes back to my speed, intensity, and control. You, you can do it fast, you can do it intense, you can do it controlled, but all those variables have to be in sync. And I would argue, and again, the way that Kim Zetter outlines it in her book, that all those variables were in synchronicity, and that's a very, very rare effect. So are we going to see more of those in the future? Yeah, maybe. I mean, if a nation state, United States or others, is trying to achieve a very specific goal in an operation short of war, maybe. But again, I'll go back to February 2022, and the Russians, I mean, we, we expected, you know, Stuxnet-like cyber attacks from the Russians against the Ukrainians, against NATO, our NATO partners against us, if we supported the Ukrainians. And for the most part that did not happen. I mean, there was one, the day before the Russians invaded Ukraine, there was a one, one attack against the satellite communications network that was fairly effective. That indicated to us that they had pre-planned that and thought that one out. But if you don't, if you, as a, as a, as a government, in this case, the Russians didn't very specifically plan out like one would plan, you know, the invasion and they didn't do a very good job of planning their invasion, you're not going to have effective cyber attacks either, you know, so, so again, to the whole point, like, can people just push a button? No, it has to be very well thought out and have a very specific objective. 
Something I would think in the next five years in, in international arena will, you know, trigger the need for some nation state to do that. But it's not going to be like in the movies where like the power goes out, you know, from Los Angeles to New York. It just, it just doesn't work that way. It would have to be very specific. They want to take down X or they want to do have, you know, Y effect on a particular network. And then, you know, if that happens, I hope, you know, Kim Zetter writes another book, you know, so that I, I can reference that by, you know, my own knowledge of it.
Jeff
Right. I do want to come back to the Russian piece though, and you described it earlier as like that the cyber warfare component of the Ukraine invasion was a nothing burger. And in some ways, at least from what I've read, I've read varying things from either. Yes, it was truly a nothing burger to wow. There was actually more than we're hearing about publicly and there were some operations there. But as far as I can tell, we were almost caught off guard by how absent the cyber warfare element was from that invasion. And I'm curious if you have any insight or speculation as to why.
Andy Boyd
So, so the why is, is, is multifaceted. I mean, I, I do, I do think the Ukrainians beefed up their defenses after NotPetya and various other cyber attacks starting, you know, when the, the Russians invaded or occupied Crimea back in 2014 on through 2017 and then up until 2022, they built out their own government cyber defenses very, you know, in a very robust manner. They also partnered with Western cyber defense companies, they partnered with Microsoft and a whole variety of other foreign entities. I mean, all of that, you know, quadrupled after the invasion, but they had already built up those relationships. So that's one, I mean, the defenders had a vote. Two goes back to my, my, my other point where, you know, you had that highway going up towards Belarus into Ukraine where tanks, Russian trucks were all like stuck because they didn't think through the logistics and the fuel necessary for that, for that invasion. There was a corollary on the cyber side. They didn't plan particularly well on the cyber attacks. They didn't really inform the leadership of the cyber entities to the degree that they needed to. So you know, you need very detailed planning to have effective cyber attacks. So I think that's the second variable that, that, you know, made it what we thought were going to be more intense attacks just, just never happen. And then the third is, you know, the Russian Vladimir Putin's perception that if he escalated cyber attacks against NATO or just the United States or NATO writ large, that may have been an escalatory event that triggered something that the Russians didn't want to deal with. I mean, in their mind the Ukrainian invasion was going to be a short lived thing. It wasn't and they didn't want to escalate. And I do think, and maybe correctly, you know, Putin continues to fear that, that escalation. 
Despite the fact that we crossed almost every red line that we've predicted, you know, providing weapons to the Ukrainians, cutting off the Russians from the banking system, the SWIFT system and whatnot. And they, and they, you know, you know, still didn't retaliate for that. And then the fourth variable actually is, I mean, if the Russians destroyed all the Ukrainian networks en route to their invasion, they would have no networks to use when they got to Kyiv. I mean, they thought it would be a short, a short lived invasion. They would occupy, they would take over the country and they were going to need those networks. And so once, once it was clear that that wasn't going to happen, they, you would have thought they would have conducted cyber attacks against the networks in Kyiv or the electric grids. But instead what they did is, is they used, you know, artillery and missiles and rockets and whatnot. In my mind, if they actually had the tools to attack the electric grid in Ukraine, they would have, because a cyber attack is certainly cheaper than sending ballistic missiles against the electric grid. So, so, so I think, you know, all four of those variables are relevant and I think that inform, will inform how we assess nation states going forward. But we shouldn't, you know, over learn those lessons because China is a very different place than Russia.
Jeff
Yeah. So as we think about threat vectors, Going forward. You know, I think lots has been said about this, and I don't want to necessarily rehash it, but in your mind, are there any kind of underreported or, you know, undercovered threat vectors that you think should get more airtime or should be higher on people's minds?
Andy Boyd
I mean, not necessarily, although, you know, we focus in this industry a lot on things that we discovered. We talk a lot about, you know, the telecommunications industry because of the Salt Typhoon attack. What I worry about is the thing that we haven't discovered yet. So as soon as we identify a threat, we should start pivoting off to, okay, what are we missing? We discovered Volt Typhoon and penetrations of critical infrastructure in that context, but what are we missing? And so I think it has to be a constantly refreshing discussion on the threat vectors. There's the known knowns, the known unknowns, and then the unknown unknowns, to use a phrase that former Secretary of Defense Donald Rumsfeld used to use. It's the unknown unknowns that concern me deeply within the critical infrastructure sector. And it just takes a lot of creative thinking from cyber defenders to think those through and to have a public dialogue about it. The only thing that we should, we should do behind closed doors in the US Government is if we have intelligence that we can't, you know, discuss publicly due to sources and methods, but otherwise we should have a very public discussion on these threats because, you know, there's plenty of industries out there that are not going to have access to the US Government on, on a, on a direct basis, and they need to be part of the dialogue.
Jeff
So what's your best advice for CISOs and for boards, you know, across the private sector on, you know, their, like, your best advice for how they keep themselves safe and contribute to keeping, you know, the nation safe.
Andy Boyd
So for boards or, you know, chairman or CEOs might, and people in this industry will, will recognize this point. But stop treating your CISOs like they're basement dwellers and they don't belong at the board meeting or they don't belong in the C suite. If you're serious about cyber security, then treat your CSO and your CISO like part of the leadership team. For years, CISOs have been treated like, oh, yeah, we gotta hire a CISO, but we don't really want to see them, you know, and just sort of lock them in the basement and that'll be fine. Because. Because what, you know, policy and legislation, in some ways, it's already there, but more is coming. If you don't as a CEO or a board member, understand the threat vector and have a routine conversation with your CISO, with your CSO, you're going to be liable for cyber attacks against your customers' data or whatnot. So that's the advice for the boards and other leadership entities at various corporations. For the CISOs, my, and I mean I could recommend, you know, go on for an hour about various tools, various threat vectors to worry about. But I think the best strategic advice I would offer to any CISO is just, just as it's incumbent on the board to understand the CISO, the CISO has to understand the board and you can't be, you know, you know, crying wolf every time there's a threat vector because your job is to prevent those threat vectors. And you have to understand, and a lot of folks in, in the cyber security industry are, are very, you know, channeled down that cyber security realm. 
You have to understand what is important to your CEO, what's important to your CFO, what's important to the board and what matters from a product development perspective, what matters from a revenue perspective and, and frame everything that you do as a CISO or CSO into how you're contributing to the mission of that company, the whatever the product is, be it a software company or, or, or you know, a, a toy manufacturer, whatever the case may be. Because you know, for years again, CISOs were locked in the basement by the CEO, but they kind of liked it, they kind of liked being in their own world. CISOs cannot just sequester themselves in their own world. They have to be part of, of the dialogue and they have to have reasonable requests for investments in security. You know, explain to the CEO and the board how an investment of a million dollars in attack surface management tools or network, network defense tools, why it matters and what the cost will be if they don't invest that. And that's hard. A lot of IT security professionals don't necessarily know how to have that dialogue with the senior leadership in their companies, but they have to learn.
Jeff
Well said. It makes sense and I think that's extremely powerful advice for both sides there. Andy, I did want to ask you a dangerous question. What's your craziest cyber career story that you can share today?
Andy Boyd
I don't know if it's crazy. It was a wake up call for me on the importance of cyber as it relates to the intelligence community, but how it relates to national security writ large. And it again goes back to February 2022. I received a call from the Director of CIA Bill Burns at the time that I needed to participate with him in White House level meetings, you know, cabinet level meetings, not as a cabinet member, but as a backbencher supporting him. And I was like, that's weird. I'm not the guy in charge of, you know, that thing in Europe. But it was because of, of the potential for cyber threats that were out there that, that I participated in those conversations. And, and that was a wake up call to me where, I mean, I was very cognizant of our capabilities in cyberspace and, and, and whatnot. But it was a wake up call to me, like, oh, wow, this is, we're, we're now cyber warriors, so to speak, are now at the front table. And you know, frankly, it's a corollary to what we just discussed about CISOs. Like, I didn't sequester myself in the basement as director of CCI, but I didn't necessarily think I was going to be at that table for that particular, particular discussion. But cyber defense and cyber strategic analysis is infused in everything now, so I shouldn't have been surprised, but that was, that was a very surprising moment in my tenure as a cyber leader.
Jeff
Well, I mean, it's amazing and it speaks. On the one hand, I'm glad that that's starting to get that recognition, but it speaks to the importance of it and, you know, it kind of acts as a beacon. I would hope to, you know, some of the organizations that are maybe, you know, are maybe resisting, you know, that position and want to keep CISOs in the, the basement, so.
Andy Boyd
Right, right.
Jeff
Awesome. Andy, this has been a super, super interesting discussion. I wanted to say a big thanks for joining today. So we, we covered a lot of ground and I really appreciate your insights.
Andy Boyd
Thank you, Jeff. I really appreciate it and I enjoyed our conversation.
Podcast Summary: "Ex-CIA Cyber Chief: Here's What Keeps Me Up at Night"
Podcast Information
Jeff introduces Andy Boyd, highlighting his role as the former head of the CIA's Center for Cyber Intelligence and his experience briefing the US Cabinet on cyber threats.
"[00:50] Andy Boyd: ...The center for Cyber Intelligence is what we would call the mission manager for all things cyber CIA."
Andy Boyd elaborates on the responsibilities of the Center for Cyber Intelligence, encompassing offensive cyber operations, strategic analysis, and intelligence collection related to nation-state and non-nation-state cyber threats.
"[02:16] Andy Boyd: ...CIA is an intelligence collection enterprise and an intelligence analytical enterprise."
The discussion differentiates between offensive and defensive roles within cybersecurity. While the CIA focuses on strategic, offensive intelligence, defensive strategies are typically managed by other entities like CISA.
"[02:42] Andy Boyd: ...our strategic analysis looked at ... giving context ... to understand the context, but it wasn't going to tell them how to defend their network."
Andy assesses that threat perception varies across industries. Sectors like finance are vigilant due to their critical nature, whereas others like water treatment may underestimate their cyber defenses.
"[04:24] Andy Boyd: ...the financial sector really understands it ... but ... water treatment plants ... were victims from nation state actors."
Andy discusses existential threats posed by cyber attacks, emphasizing the financial repercussions and the vulnerability of critical infrastructure. He cites the UnitedHealthcare ransomware attack as an example of the substantial costs beyond the ransom paid.
"[06:01] Andy Boyd: ...cyber is an existential threat ... loss in revenue to UnitedHealthcare was north of $1.6 billion."
When advising leaders, Andy highlights nation-states like China, Russia, Iran, and North Korea, as well as organized crime and ransomware actors, as primary threats. He underscores the sophistication of Chinese cyber threats, such as Volt Typhoon and Salt Typhoon.
"[09:05] Andy Boyd: ...Volt Typhoon ... putting tools down on our telecommunications infrastructure ... critical infrastructure protection ... Chinese threat ... is critical."
AI is a double-edged sword in cybersecurity. While it amplifies the capabilities of malicious actors in social engineering and exploit development, it also enhances defensive measures through advanced threat detection and deepfake identification.
"[23:21] Andy Boyd: ...AI tools are going to help bad actors ... defenders ... AI tools in security operations centers are advancing ... detection of deepfakes."
Andy reflects on sophisticated yet brazen cyber operations like Volt Typhoon and Salt Typhoon, which utilized existing vulnerabilities ("living off the land") instead of zero-day exploits, making detection more challenging.
"[28:16] Andy Boyd: ...living off the land techniques ... didn't look like nation state actors ... detected that ... exploiting our own vulnerabilities."
The conversation explores the current state of offensive cyber capabilities. Andy asserts that while deterrence is conceptually similar to traditional military deterrence (e.g., aircraft carriers), effective offensive cyber operations require meticulous planning and control, making spontaneous large-scale cyber warfare unlikely.
"[41:31] Andy Boyd: ...offensive cyber operations are really the realm of governments ... not in a state of constant cyber warfare ... cyber attacks as intelligence operations."
Andy emphasizes the critical role of CISOs in organizational leadership. He advises boards to integrate CISOs into the executive suite, fostering regular dialogue to align cybersecurity strategies with business objectives. For CISOs, he recommends focusing on identity management, access control, and employee training to mitigate risks.
"[58:07] Andy Boyd: ...treat your CISOs like part of the leadership team ... identity management and access control ... train employees about phishing and social engineering."
Andy shares a pivotal moment in February 2022 when he was called to participate in White House-level meetings, underscoring the elevated importance of cybersecurity in national defense. This experience highlighted the integration of cyber strategies into broader national security discussions.
"[61:18] Andy Boyd: ...wake up call ... cyber defense and cyber strategic analysis is infused in everything now ... cyber warriors at the front table."
Conclusion
In this insightful episode, Andy Boyd sheds light on the complex and evolving landscape of cyber threats facing both national security and private enterprises. From the strategic roles of intelligence agencies to the practical advice for organizational leaders, the discussion underscores the necessity of robust cybersecurity measures, proactive threat detection, and the integration of cyber strategies into organizational leadership. As AI continues to shape the capabilities of both attackers and defenders, the imperative for cohesive policy, advanced technology deployment, and informed leadership becomes ever more critical in safeguarding our digital and physical infrastructure.